This does not work; iret returns to the original EIP position, so I searched for how the interrupt stack works, according to this stack representation (without error code):

About the iret instruction: if I want to modify the "Return EIP register", I must push my new EIP onto it? Yes? So after my CALL, I push _mytask1 like this as a test:

push eax
mov eax, _mytask1
mov ss:[esp]+0, eax
pop eax

But this does not work...

I've looked at the content of "ss:[ESP]+0", the famous "Return EIP", before modifications, and I get "0x16F" every time... what??

I'm already executing in ring0, with cwsdpr0.exe on DOS...
I'm lost; can someone help me?